CWE-307
AllowedImproper Restriction of Excessive Authentication Attempts
Abstraction: Base · Status: Draft
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
904 vulnerabilities reference this CWE, most recent first.
GHSA-FQ34-XW6C-FPHF
Vulnerability from github – Published: 2025-09-08 20:45 – Updated: 2025-09-13 04:41Summary
The Fides Webserver API's built-in IP-based rate limiting is ineffective in environments with CDNs, proxies or load balancers. The system incorrectly applies rate limits based on directly connected infrastructure IPs rather than client IPs, and stores counters in-memory rather than in a shared store. This allows attackers to bypass intended rate limits and potentially cause denial of service.
This vulnerability only affects deployments relying on Fides's built-in rate limiting for protection. Deployments using external rate limiting solutions (WAFs, API gateways, etc.) are not affected.
Details
The vulnerability has two components:
- Rate limiting uses the immediate connection source IP instead of the actual client IP
- Rate limit counters are maintained in-memory per container rather than in a shared store
In production environments, these issues allow clients to exceed intended rate limits and enable attackers to trigger rate limits on infrastructure IPs, causing legitimate clients to receive 429 responses.
Impact
This vulnerability affects availability, allowing attackers to:
- Bypass rate limits, potentially leading to resource exhaustion
- Cause a denial of service for legitimate clients by deliberately triggering rate limits on infrastructure IPs
Patches
The vulnerability has been patched in Fides version 2.69.1. Users are advised to upgrade to this version or later to secure their systems against this threat.
Workarounds
There are no application-level workarounds. However, rate limiting may instead be implemented externally at the infrastructure level using a WAF, API Gateway, or similar technology.
Risk Level
This vulnerability has been assigned a severity of MEDIUM.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ethyca-fides"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.69.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-57816"
],
"database_specific": {
"cwe_ids": [
"CWE-307",
"CWE-770",
"CWE-799"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-08T20:45:51Z",
"nvd_published_at": "2025-09-08T22:15:33Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nThe Fides Webserver API\u0027s built-in IP-based rate limiting is ineffective in environments with CDNs, proxies or load balancers. The system incorrectly applies rate limits based on directly connected infrastructure IPs rather than client IPs, and stores counters in-memory rather than in a shared store. This allows attackers to bypass intended rate limits and potentially cause denial of service.\n\nThis vulnerability only affects deployments relying on Fides\u0027s built-in rate limiting for protection. Deployments using external rate limiting solutions (WAFs, API gateways, etc.) are not affected.\n\n### Details\n\nThe vulnerability has two components:\n\n1. Rate limiting uses the immediate connection source IP instead of the actual client IP\n2. Rate limit counters are maintained in-memory per container rather than in a shared store\n\nIn production environments, these issues allow clients to exceed intended rate limits and enable attackers to trigger rate limits on infrastructure IPs, causing legitimate clients to receive 429 responses.\n\n### Impact\n\nThis vulnerability affects availability, allowing attackers to:\n\n- Bypass rate limits, potentially leading to resource exhaustion\n- Cause a denial of service for legitimate clients by deliberately triggering rate limits on infrastructure IPs\n\n### Patches\n\nThe vulnerability has been patched in Fides version `2.69.1`. Users are advised to upgrade to this version or later to secure their systems against this threat.\n\n### Workarounds\n\nThere are no application-level workarounds. However, rate limiting may instead be implemented externally at the infrastructure level using a WAF, API Gateway, or similar technology.\n\n### Risk Level\n\nThis vulnerability has been assigned a severity of MEDIUM.",
"id": "GHSA-fq34-xw6c-fphf",
"modified": "2025-09-13T04:41:24Z",
"published": "2025-09-08T20:45:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-fq34-xw6c-fphf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57816"
},
{
"type": "WEB",
"url": "https://github.com/ethyca/fides/commit/59903c195e2f9f8915a1db94950aefd557033a5c"
},
{
"type": "PACKAGE",
"url": "https://github.com/ethyca/fides"
},
{
"type": "WEB",
"url": "https://github.com/ethyca/fides/releases/tag/2.69.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Fides Webserver API Rate Limiting Vulnerability in Proxied Environments"
}
GHSA-FWXJ-C833-3V48
Vulnerability from github – Published: 2025-04-14 09:30 – Updated: 2025-04-16 12:31A vulnerability classified as problematic has been found in ScriptAndTools eCommerce-website-in-PHP 3.0. Affected is an unknown function of the file /login.php. The manipulation leads to improper restriction of excessive authentication attempts. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-3555"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-14T07:15:15Z",
"severity": "MODERATE"
},
"details": "A vulnerability classified as problematic has been found in ScriptAndTools eCommerce-website-in-PHP 3.0. Affected is an unknown function of the file /login.php. The manipulation leads to improper restriction of excessive authentication attempts. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-fwxj-c833-3v48",
"modified": "2025-04-16T12:31:18Z",
"published": "2025-04-14T09:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3555"
},
{
"type": "WEB",
"url": "https://github.com/Maloyroyorko/E-commerce-3.0-user-bruter"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.304596"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.304596"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.549168"
},
{
"type": "WEB",
"url": "https://www.websecurityinsights.my.id/2025/04/script-and-tools-ecommerce-30-loginphp.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-FWXV-G739-M9FM
Vulnerability from github – Published: 2022-05-24 17:37 – Updated: 2022-05-24 17:37The built-in WEB server for MOXA NPort IAW5000A-I/O firmware version 2.1 or lower allows SSH/Telnet sessions, which may be vulnerable to brute force attacks to bypass authentication.
{
"affected": [],
"aliases": [
"CVE-2020-25196"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-12-23T15:15:00Z",
"severity": "CRITICAL"
},
"details": "The built-in WEB server for MOXA NPort IAW5000A-I/O firmware version 2.1 or lower allows SSH/Telnet sessions, which may be vulnerable to brute force attacks to bypass authentication.",
"id": "GHSA-fwxv-g739-m9fm",
"modified": "2022-05-24T17:37:04Z",
"published": "2022-05-24T17:37:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25196"
},
{
"type": "WEB",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-287-01"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-G234-R5WX-QX69
Vulnerability from github – Published: 2022-01-29 00:00 – Updated: 2022-02-04 00:00A CWE-307 Improper Restriction of Excessive Authentication Attempts vulnerability exists that could allow an attacker to gain unauthorized access to the charging station web interface by performing brute force attacks. Affected Products: EVlink City EVC1S22P4 / EVC1S7P4 (All versions prior to R8 V3.4.0.2 ), EVlink Parking EVW2 / EVF2 / EVP2PE (All versions prior to R8 V3.4.0.2), and EVlink Smart Wallbox EVB1A (All versions prior to R8 V3.4.0.2)
{
"affected": [],
"aliases": [
"CVE-2021-22818"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-28T20:15:00Z",
"severity": "HIGH"
},
"details": "A CWE-307 Improper Restriction of Excessive Authentication Attempts vulnerability exists that could allow an attacker to gain unauthorized access to the charging station web interface by performing brute force attacks. Affected Products: EVlink City EVC1S22P4 / EVC1S7P4 (All versions prior to R8 V3.4.0.2 ), EVlink Parking EVW2 / EVF2 / EVP2PE (All versions prior to R8 V3.4.0.2), and EVlink Smart Wallbox EVB1A (All versions prior to R8 V3.4.0.2)",
"id": "GHSA-g234-r5wx-qx69",
"modified": "2022-02-04T00:00:44Z",
"published": "2022-01-29T00:00:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22818"
},
{
"type": "WEB",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-348-02"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-G2W3-6C6J-74QW
Vulnerability from github – Published: 2024-11-12 03:30 – Updated: 2024-11-12 03:30SAP NetWeaver AS Java allows an unauthenticated attacker to brute force the login functionality in order to identify the legitimate user IDs. This has an impact on confidentiality but not on integrity or availability.
{
"affected": [],
"aliases": [
"CVE-2024-47592"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-12T01:15:05Z",
"severity": "MODERATE"
},
"details": "SAP NetWeaver AS Java allows an unauthenticated attacker to brute force the login functionality in order to identify the legitimate user IDs. This has an impact on confidentiality but not on integrity or availability.",
"id": "GHSA-g2w3-6c6j-74qw",
"modified": "2024-11-12T03:30:48Z",
"published": "2024-11-12T03:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47592"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3393899"
},
{
"type": "WEB",
"url": "https://url.sap/sapsecuritypatchday"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G34J-4GVG-FPGM
Vulnerability from github – Published: 2022-07-19 00:00 – Updated: 2022-07-29 00:00An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. It mishandles access control. This allows a remote attacker to access account information pages (including personal data) without being authenticated. The collected information includes the badge numbers that operate as user login names. They have a PIN code. The PIN code is 4 digits and thus can be guessed in 10000 brute force attempts.
{
"affected": [],
"aliases": [
"CVE-2022-24689"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-18T13:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. It mishandles access control. This allows a remote attacker to access account information pages (including personal data) without being authenticated. The collected information includes the badge numbers that operate as user login names. They have a PIN code. The PIN code is 4 digits and thus can be guessed in 10000 brute force attempts.",
"id": "GHSA-g34j-4gvg-fpgm",
"modified": "2022-07-29T00:00:41Z",
"published": "2022-07-19T00:00:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24689"
},
{
"type": "WEB",
"url": "https://dsk.lu/fr/produits/temps-de-presence"
},
{
"type": "WEB",
"url": "https://github.com/post-cyberlabs/CVE-Advisory/blob/main/CVE-2022-24688-92.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G44V-6QFM-F6CH
Vulnerability from github – Published: 2023-03-21 06:30 – Updated: 2023-03-27 22:10Guessable CAPTCHA in GitHub repository answerdev/answer prior to 1.0.6.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/answerdev/answer"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-1539"
],
"database_specific": {
"cwe_ids": [
"CWE-307",
"CWE-804"
],
"github_reviewed": true,
"github_reviewed_at": "2023-03-21T22:32:31Z",
"nvd_published_at": "2023-03-21T05:15:00Z",
"severity": "MODERATE"
},
"details": "Guessable CAPTCHA in GitHub repository answerdev/answer prior to 1.0.6.",
"id": "GHSA-g44v-6qfm-f6ch",
"modified": "2023-03-27T22:10:58Z",
"published": "2023-03-21T06:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1539"
},
{
"type": "WEB",
"url": "https://github.com/answerdev/answer/commit/813ad0b9894673b1bdd489a2e9ab60a44fe990af"
},
{
"type": "PACKAGE",
"url": "https://github.com/answerdev/answer"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/b4df67f4-14ea-4051-97d4-26690c979a28"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Answer has Guessable CAPTCHA"
}
GHSA-G45J-9379-J77G
Vulnerability from github – Published: 2026-06-01 06:30 – Updated: 2026-06-01 06:30A vulnerability was detected in unitedbyai droidclaw up to 0.5.3. The affected element is an unknown function of the file server/src/routes/pairing.ts of the component claim Endpoint. The manipulation results in improper restriction of excessive authentication attempts. The attack may be launched remotely. This attack is characterized by high complexity. The exploitability is described as difficult. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
{
"affected": [],
"aliases": [
"CVE-2026-10216"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-01T04:16:20Z",
"severity": "LOW"
},
"details": "A vulnerability was detected in unitedbyai droidclaw up to 0.5.3. The affected element is an unknown function of the file server/src/routes/pairing.ts of the component claim Endpoint. The manipulation results in improper restriction of excessive authentication attempts. The attack may be launched remotely. This attack is characterized by high complexity. The exploitability is described as difficult. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.",
"id": "GHSA-g45j-9379-j77g",
"modified": "2026-06-01T06:30:25Z",
"published": "2026-06-01T06:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10216"
},
{
"type": "WEB",
"url": "https://github.com/unitedbyai/droidclaw/issues/14"
},
{
"type": "WEB",
"url": "https://gist.github.com/YLChen-007/2639ccaefd55ef4309953b76bc4c737e/raw"
},
{
"type": "WEB",
"url": "https://github.com/unitedbyai/droidclaw"
},
{
"type": "WEB",
"url": "https://vuldb.com/cve/CVE-2026-10216"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/821936"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/367495"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/367495/cti"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-G66J-37WX-VRJ5
Vulnerability from github – Published: 2026-03-17 18:30 – Updated: 2026-03-17 18:30JetKVM before 0.5.4 does not rate limit login requests, enabling brute-force attempts to guess credentials.
{
"affected": [],
"aliases": [
"CVE-2026-32295"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-17T18:16:16Z",
"severity": "CRITICAL"
},
"details": "JetKVM before 0.5.4 does not rate limit login requests, enabling brute-force attempts to guess credentials.",
"id": "GHSA-g66j-37wx-vrj5",
"modified": "2026-03-17T18:30:33Z",
"published": "2026-03-17T18:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32295"
},
{
"type": "WEB",
"url": "https://eclypsium.com/blog/kvm-devices-the-keys-to-your-kingdom-are-hanging-on-the-network"
},
{
"type": "WEB",
"url": "https://github.com/jetkvm/kvm/releases/tag/release%2F0.5.4"
},
{
"type": "WEB",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-076-01.json"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32295"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-G6Q4-W3J3-JFC4
Vulnerability from github – Published: 2024-09-05 15:33 – Updated: 2024-09-06 21:57A vulnerability was found in Windmill 1.380.0. It has been classified as problematic. Affected is an unknown function of the file backend/windmill-api/src/users.rs of the component HTTP Request Handler. The manipulation leads to improper restriction of excessive authentication attempts. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. Upgrading to version 1.390.1 is able to address this issue. The patch is identified as acfe7786152f036f2476f93ab5536571514fa9e3. It is recommended to upgrade the affected component.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/windmill-labs/windmill"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.61.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-8462"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-06T21:57:28Z",
"nvd_published_at": "2024-09-05T13:15:12Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in Windmill 1.380.0. It has been classified as problematic. Affected is an unknown function of the file backend/windmill-api/src/users.rs of the component HTTP Request Handler. The manipulation leads to improper restriction of excessive authentication attempts. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. Upgrading to version 1.390.1 is able to address this issue. The patch is identified as acfe7786152f036f2476f93ab5536571514fa9e3. It is recommended to upgrade the affected component.",
"id": "GHSA-g6q4-w3j3-jfc4",
"modified": "2024-09-06T21:57:28Z",
"published": "2024-09-05T15:33:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8462"
},
{
"type": "WEB",
"url": "https://github.com/windmill-labs/windmill/commit/acfe7786152f036f2476f93ab5536571514fa9e3"
},
{
"type": "PACKAGE",
"url": "https://github.com/windmill-labs/windmill"
},
{
"type": "WEB",
"url": "https://github.com/windmill-labs/windmill/releases/tag/v1.390.1"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2024-3118"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.276630"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.276630"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.401826"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "Windmill HTTP Request users.rs excessive authentication in github.com/windmill-labs/windmill"
}
Mitigation
- Common protection mechanisms include:
- Disconnecting the user after a small number of failed attempts
- Implementing a timeout
- Locking out a targeted account
- Requiring a computational task on the user's part.
Mitigation MIT-4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
- Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [REF-45]
CAPEC-16: Dictionary-based Password Attack
An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern.
Dictionary Attacks differ from similar attacks such as Password Spraying (CAPEC-565) and Credential Stuffing (CAPEC-600), since they leverage unknown username/password combinations and don't care about inducing account lockouts.
CAPEC-49: Password Brute Forcing
An adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password.
CAPEC-560: Use of Known Domain Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate credentials (e.g. userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service.
CAPEC-565: Password Spraying
In a Password Spraying attack, an adversary tries a small list (e.g. 3-5) of common or expected passwords, often matching the target's complexity policy, against a known list of user accounts to gain valid credentials. The adversary tries a particular password for each user account, before moving onto the next password in the list. This approach assists the adversary in remaining undetected by avoiding rapid or frequent account lockouts. The adversary may then reattempt the process with additional passwords, once enough time has passed to prevent inducing a lockout.
CAPEC-600: Credential Stuffing
An adversary tries known username/password combinations against different systems, applications, or services to gain additional authenticated access. Credential Stuffing attacks rely upon the fact that many users leverage the same username/password combination for multiple systems, applications, and services.
CAPEC-652: Use of Known Kerberos Credentials
An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.
CAPEC-653: Use of Known Operating System Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System.